MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5

Stefan Paetow Stefan.Paetow at
Wed Mar 4 10:49:54 CET 2015

> Any hints on why the use_tunneled_reply is needed to get the CUI passed to the Access-Accept? For some reason the default config talks about CUI but doesn't seem to implement it to work without use_tunneled_reply - at least that's what my tests say so far. Do you reckon?

Kilian, you can update the cui policy manually by editing the policy.d/cui file. Change all 'update reply {' entries to 'update outer.reply {' if you're not using use_tunneled_reply. It *should* update the outer tunnel reply. If it doesn't, run radiusd -X (or freeradius -X on Debian/Ubuntu) and post the *full* conversation of an authentication that does not send a CUI back in the Access-Accept. 

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at
skype: stefan.paetow.janet
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list